Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-012
CVE: CVE-2022-23679, CVE-2022-23680, CVE-2022-23681, CVE-2022-23682,
     CVE-2022-23683, CVE-2022-23684, CVE-2022-23686, CVE-2022-23687,
     CVE-2022-23688, CVE-2022-23689, CVE-2022-23690, CVE-2022-23691
Publication Date: 2022-Aug-30
Status: Confirmed
Severity: High
Revision: 1

Title
=====

AOS-CX Switches Multiple Vulnerabilities

Overview
========

Aruba has released updates for wired switch products running AOS-CX that
address multiple security vulnerabilities.

Affected Products
=================

Customers using the following switch models and firmware versions are
affected by the vulnerabilities listed in this advisory.

Aruba Switch Models:
- AOS-CX 10000 Switch Series
- AOS-CX 9300 Switch Series
- AOS-CX 8400 Switch Series
- AOS-CX 8360 Switch Series
- AOS-CX 8325 Switch Series
- AOS-CX 8320 Switch Series
- AOS-CX 6400 Switch Series
- AOS-CX 6300 Switch Series
- AOS-CX 6200F Switch Series
- AOS-CX 6100 Switch Series
- AOS-CX 6000 Switch Series
- AOS-CX 4100i Switch Series

Software branch versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and below.
- AOS-CX 10.09.xxxx: 10.09.1020 and below.
- AOS-CX 10.08.xxxx: 10.08.1060 and below.
- AOS-CX 10.06.xxxx: 10.06.0200 and below.

Not all vulnerabilities in this advisory affect all AOS-CX branches. If an
AOS-CX branch is not listed as affected, it means that any AOS-CX version in
that given branch is not affected. For example, the 10.10.xxxx branch is not
affected by CVE-2022-23684.

CVE-2022-23691 only affects the following models:
- AOS-CX 10000 Switch Series
- AOS-CX 9300 Switch Series
- AOS-CX 8325 Switch Series
- AOS-CX 8320 Switch Series

The following unsupported branches of AOS-CX software were not validated and
may contain these vulnerabilities:
- AOS-CX 10.07.xxxx
- AOS-CX 10.05.xxxx and below.
Unaffected Products
===================

Any other Aruba products not listed above, including AOS-S Switches, Aruba
Intelligent Edge Switches, and HPE OfficeConnect Switches, are not affected by
these vulnerabilities.

Details
=======

Failure to provide CSRF Protection (CVE-2022-23679, CVE-2022-23680)
---------------------------------------------------------------------

AOS-CX lacks Anti-CSRF protections in place for state-changing operations.
This can potentially be exploited by an attacker to execute commands in the
context of another user.

Internal references: ATLAX-4
Severity: High
CVSSv3 Overall Score: 8.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Discovery: These vulnerabilities were discovered and reported by Zombiehelp54
(bugcrowd.com/zombiehelp54) via Aruba's Bugcrowd program and Ken Pyle -
Partner & Exploit Developer, CYBIR & Graduate Professor of Cybersecurity at
Chestnut Hill College.

Affected Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and below.
- AOS-CX 10.09.xxxx: 10.09.1020 and below.
- AOS-CX 10.08.xxxx: 10.08.1060 and below.
- AOS-CX 10.06.xxxx: 10.06.0200 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.1000 and above.
- AOS-CX 10.09.xxxx: 10.09.1030 and above.
- AOS-CX 10.08.xxxx: 10.08.1070 and above.
- AOS-CX 10.06.xxxx: 10.06.0210 and above.

Authenticated Command Injection Vulnerability in AOS-CX Command Line Interface (CVE-2022-23681, CVE-2022-23682)
---------------------------------------------------------------------

Multiple vulnerabilities exist in the AOS-CX command line interface that
could lead to authenticated command injection. A successful exploit could
allow an attacker to execute arbitrary commands as root on the underlying
operating system, leading to complete switch compromise.
Internal references: ATLAX-52, ATLAX-53
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Affected Versions:
- AOS-CX 10.09.xxxx: 10.09.1030 and below.
- AOS-CX 10.08.xxxx: 10.08.1030 and below.
- AOS-CX 10.06.xxxx: 10.06.0180 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and above.
- AOS-CX 10.09.xxxx: 10.09.1040 and above.
- AOS-CX 10.08.xxxx: 10.08.1080 and above.
- AOS-CX 10.06.xxxx: 10.06.0220 and above.

Authenticated Remote Code Execution in AOS-CX Network Analytics Engine (NAE) (CVE-2022-23683)
---------------------------------------------------------------------

Authenticated command injection vulnerabilities exist in the AOS-CX Network
Analytics Engine via NAE scripts. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands as a
privileged user on the underlying operating system, leading to a complete
compromise of the switch running AOS-CX.

Internal reference: ATLAX-30
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Affected Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and below.
- AOS-CX 10.09.xxxx: 10.09.1030 and below.
- AOS-CX 10.08.xxxx: 10.08.1070 and below.
- AOS-CX 10.06.xxxx: 10.06.0210 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.1000 and above.
- AOS-CX 10.09.xxxx: 10.09.1040 and above.
- AOS-CX 10.08.xxxx: 10.08.1080 and above.
- AOS-CX 10.06.xxxx: 10.06.0220 and above.
Authenticated Privilege Escalation in the Web-Management Interface (CVE-2022-23684)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of AOS-CX could allow a
remote authenticated user with read-only privileges to escalate their
permissions to those of an administrative user. Successful exploitation of
this vulnerability allows an attacker to escalate privileges beyond their
authorized level.

Internal reference: ATLAX-63
Severity: High
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Discovery: This vulnerability was discovered and reported by Aruba's internal
engineering team.

Affected Versions:
- AOS-CX 10.09.xxxx: 10.09.1020 and below.
- AOS-CX 10.08.xxxx: 10.08.1060 and below.
- AOS-CX 10.06.xxxx: 10.06.0200 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and above.
- AOS-CX 10.09.xxxx: 10.09.1030 and above.
- AOS-CX 10.08.xxxx: 10.08.1070 and above.
- AOS-CX 10.06.xxxx: 10.06.0210 and above.

Local Authentication Bypass Vulnerability in Recovery Console (CVE-2022-23691)
---------------------------------------------------------------------

A vulnerability exists in certain AOS-CX switch models which could allow an
attacker with access to the recovery console to bypass normal authentication.
A successful exploit allows an attacker to bypass system authentication and
achieve total switch compromise.

Internal reference: ATLAX-67
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by Aruba's internal
engineering team.

Affected Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and below.
- AOS-CX 10.09.xxxx: 10.09.1030 and below.
- AOS-CX 10.08.xxxx: 10.08.1070 and below.
- AOS-CX 10.06.xxxx: 10.06.0210 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.1000 and above.
- AOS-CX 10.09.xxxx: 10.09.1040 and above.
- AOS-CX 10.08.xxxx: 10.08.1080 and above.
- AOS-CX 10.06.xxxx: 10.06.0220 and above.

Multiple Vulnerabilities in AOS-CX LLDP Service (CVE-2022-23686, CVE-2022-23687, CVE-2022-23688, CVE-2022-23689)
---------------------------------------------------------------------

Multiple vulnerabilities exist in the processing of packet data by the LLDP
service of AOS-CX. Successful exploitation of these vulnerabilities may allow
an attacker to impact the availability of the AOS-CX LLDP service and/or the
management plane of the switch.

Internal reference: ATLAX-55
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: These vulnerabilities were discovered and reported by Qian Chen
(@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group.

Affected Versions:
- AOS-CX 10.09.xxxx: 10.09.1010 and below.
- AOS-CX 10.08.xxxx: 10.08.1050 and below.
- AOS-CX 10.06.xxxx: 10.06.0190 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and above.
- AOS-CX 10.09.xxxx: 10.09.1020 and above.
- AOS-CX 10.08.xxxx: 10.08.1060 and above.
- AOS-CX 10.06.xxxx: 10.06.0200 and above.

Unauthenticated Sensitive Information Disclosure in AOS-CX via Web-Management Interface (CVE-2022-23690)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of AOS-CX could allow a
remote unauthenticated attacker to fingerprint the exact version of AOS-CX
running on the switch. This allows an attacker to retrieve information which
could be used to more precisely target the switch for further exploitation.

Internal reference: ATLAX-54
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by Ken Pyle -
Partner & Exploit Developer, CYBIR & Graduate Professor of Cybersecurity at
Chestnut Hill College.

Affected Versions:
- AOS-CX 10.09.xxxx: 10.09.1010 and below.
- AOS-CX 10.08.xxxx: 10.08.1050 and below.
- AOS-CX 10.06.xxxx: 10.06.0190 and below.

Resolved Versions:
- AOS-CX 10.10.xxxx: 10.10.0002 and above.
- AOS-CX 10.09.xxxx: 10.09.1020 and above.
- AOS-CX 10.08.xxxx: 10.08.1060 and above.
- AOS-CX 10.06.xxxx: 10.06.0200 and above.

Resolution
==========

In order to address the vulnerabilities described above for the affected
release branches, it is recommended to upgrade the software to the following
versions (where applicable):
- AOS-CX 10.10.xxxx: 10.10.1000 and above.
- AOS-CX 10.09.xxxx: 10.09.1040 and above.
- AOS-CX 10.08.xxxx: 10.08.1080 and above.
- AOS-CX 10.06.xxxx: 10.06.0220 and above.

Aruba recommends that users using the following branches upgrade to
10.10.1000 and above to address these vulnerabilities:
- AOS-CX 10.07.xxxx
- AOS-CX 10.05.xxxx and below.

Workaround
==========

To minimize the likelihood of an attacker exploiting these vulnerabilities,
Aruba recommends that the CLI and web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall
policies at layer 3 and above. Contact Aruba TAC for any configuration
assistance.

Exploitation and Public Discussion
==================================

Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the release date of the advisory.

Revision History
================

Revision 1 / 2022-Aug-30 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption.
Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.
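For fleet triage, the per-finding "Affected Versions" lists above can be turned into a lookup that tells an operator which findings a given firmware build is still exposed to, honouring the advisory's rules that an unlisted validated branch is not affected, that 10.07 and 10.05-and-below were never validated, and that CVE-2022-23691 only applies to four model series. This is added example code, not Aruba tooling; the tables are transcribed from this advisory, and the helper names and the tolerance for a non-numeric version prefix are assumptions of the example.

```python
# Highest affected build per branch for each finding in ARUBA-PSA-2022-012,
# transcribed from the "Affected Versions" lists. A branch absent from a
# finding's table was validated and found not affected (per the advisory).
FINDINGS = {
    "CVE-2022-23679/23680 CSRF": {
        "10.10": "10.10.0002", "10.09": "10.09.1020", "10.08": "10.08.1060", "10.06": "10.06.0200"},
    "CVE-2022-23681/23682 CLI command injection": {
        "10.09": "10.09.1030", "10.08": "10.08.1030", "10.06": "10.06.0180"},
    "CVE-2022-23683 NAE command injection": {
        "10.10": "10.10.0002", "10.09": "10.09.1030", "10.08": "10.08.1070", "10.06": "10.06.0210"},
    "CVE-2022-23684 web privilege escalation": {
        "10.09": "10.09.1020", "10.08": "10.08.1060", "10.06": "10.06.0200"},
    "CVE-2022-23691 recovery console bypass": {
        "10.10": "10.10.0002", "10.09": "10.09.1030", "10.08": "10.08.1070", "10.06": "10.06.0210"},
    "CVE-2022-23686..23689 LLDP availability": {
        "10.09": "10.09.1010", "10.08": "10.08.1050", "10.06": "10.06.0190"},
    "CVE-2022-23690 version disclosure": {
        "10.09": "10.09.1010", "10.08": "10.08.1050", "10.06": "10.06.0190"},
}
RECOVERY_CONSOLE_MODELS = {"10000", "9300", "8325", "8320"}  # CVE-2022-23691 scope
VALIDATED_BRANCHES = {"10.10", "10.09", "10.08", "10.06"}

def parse_version(text):
    """'10.09.1020' -> (10, 9, 1020). A non-numeric leading token (assumed
    platform prefix) is ignored; anything else is rejected."""
    nums = [int(p) for p in text.split(".") if p.isdigit()]
    if len(nums) != 3:
        raise ValueError(f"unrecognised AOS-CX version: {text!r}")
    return tuple(nums)

def check_version(version, model_series=None):
    """Classify each finding for this firmware as 'affected', 'fixed',
    'not affected', 'unvalidated' (10.07 / 10.05 and below) or 'not applicable'."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]:02d}"
    result = {}
    for finding, last_bad in FINDINGS.items():
        if (finding.startswith("CVE-2022-23691") and model_series is not None
                and model_series not in RECOVERY_CONSOLE_MODELS):
            result[finding] = "not applicable"       # model out of scope
        elif branch in last_bad:
            result[finding] = "affected" if v <= parse_version(last_bad[branch]) else "fixed"
        elif branch in VALIDATED_BRANCHES:
            result[finding] = "not affected"         # validated branch, not listed
        elif v[:2] == (10, 7) or v[:2] <= (10, 5):
            result[finding] = "unvalidated"          # treat as exposed; upgrade
        else:
            result[finding] = "not listed"           # newer than this advisory
    return result
```

Any "affected" or "unvalidated" result maps to the Resolution section's upgrade targets for that branch (or to 10.10.1000 and above for the unvalidated branches).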